Sysadmins use Samba to overcome interoperability problems in a mixed environment where both Linux and Windows machines are present. It gives Windows and Linux hosts a common sharing space.
A domain controller is a service used for the centralized administration of users, groups and other objects in the network. It lets us manage, authenticate and secure user logins and the data associated with them.
This tutorial explains how to configure Samba on Linux as a primary domain controller.
1. Setup Proper Host Name
Make sure you have set up the appropriate hostname and a static IP address. If you are using an internal IP address and want to reach the server from the internet, set up the appropriate NAT rules on your firewall.
In this tutorial we will use tgs.example.com as the hostname.
# vi /etc/sysconfig/network
HOSTNAME=tgs.example.com
Make sure the appropriate static IP address is configured in the ifcfg-eth0 file.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=192.168.101.1
NETMASK=255.255.255.0
Also assign the gateway and DNS servers accordingly in your /etc/sysconfig/network and /etc/resolv.conf files.
Verify that your /etc/hosts file has an entry similar to the following.
# vi /etc/hosts
192.168.101.1 tgs.example.com tgs
Also make sure the NTP service is set up and running properly on this server; Kerberos authentication fails when clocks drift too far apart.
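The checks in step 1 are easy to get subtly wrong (a hostname that is not fully qualified, an interface still on DHCP, or the FQDN mapped to 127.0.0.1 in /etc/hosts, which later breaks the DNS provisioning). The following POSIX sh pre-flight check is an added example, not part of the original tutorial; it takes the three files from this step as parameters so it can be run against copies, and the file layout it expects (HOSTNAME=, IPADDR=, BOOTPROTO= lines) is the CentOS 6 format used above.

```shell
#!/bin/sh
# Added pre-flight check for step 1 (not from the original tutorial).
# Usage: preflight_check NETWORK_FILE IFCFG_FILE HOSTS_FILE
# Exit status 0 when hostname, static IP and /etc/hosts agree; 1 otherwise.
preflight_check() {
    network=$1 ifcfg=$2 hosts=$3
    fail=0

    # HOSTNAME=tgs.example.com -> fqdn=tgs.example.com, short=tgs
    fqdn=$(sed -n 's/^HOSTNAME=//p' "$network" | tr -d '"')
    short=${fqdn%%.*}
    case "$fqdn" in
        *.*.*) ;;   # at least host.domain.tld
        *) echo "FAIL: HOSTNAME '$fqdn' is not a fully qualified name"; fail=1 ;;
    esac

    # A domain controller needs a static address: IPADDR set, BOOTPROTO not dhcp.
    ip=$(sed -n 's/^IPADDR=//p' "$ifcfg" | tr -d '"')
    proto=$(sed -n 's/^BOOTPROTO=//p' "$ifcfg" | tr -d '"')
    [ -n "$ip" ] || { echo "FAIL: no IPADDR in $ifcfg"; fail=1; }
    [ "$proto" != "dhcp" ] || { echo "FAIL: BOOTPROTO=dhcp; a DC needs a static address"; fail=1; }

    # /etc/hosts must map the static IP to both the FQDN and the short name ...
    if ! awk -v ip="$ip" -v f="$fqdn" -v s="$short" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 } }
        END { exit !(hf && hs) }' "$hosts"; then
        echo "FAIL: $hosts lacks the line '$ip $fqdn $short'"; fail=1
    fi
    # ... and must not also map the FQDN to the loopback address.
    if awk -v f="$fqdn" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
        END { exit !found }' "$hosts"; then
        echo "FAIL: $fqdn is also mapped to 127.0.0.1 in $hosts"; fail=1
    fi

    if [ "$fail" -eq 0 ]; then
        echo "OK: $fqdn -> $ip (static)"
    fi
    return "$fail"
}

# Run directly against the live system:
#   preflight_check /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/hosts
```

Run it before step 3; a non-zero exit means the provisioning step will produce a domain whose DNS records do not match the host.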
2. Install Samba from Source
On a CentOS minimal installation, the Samba packages are not installed by default.
First, install the following dependency packages.
# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5 git-core openldap-devel
Next, download the samba source as shown below.
# git clone git://git.samba.org/samba.git sambaserver
The source is downloaded into the sambaserver directory. Build and install the Samba server as shown below.
cd sambaserver
./configure --enable-debug --enable-selftest
make
make install
Samba is installed under the default prefix /usr/local/samba; the client utilities are placed in /usr/local/samba/bin, as shown below.
# cd /usr/local/samba/bin/
# ls
cifsdd       ldbsearch    ntdbrestore    regshell    smbcquotas  tdbbackup
dbwrap_tool  locktest     ntdbtool       regtree     smbget      tdbdump
eventlogadm  masktest     ntlm_auth      rpcclient   smbpasswd   tdbrestore
gentest      ndrdump      oLschema2ldif  samba-tool  smbspool    tdbtool
ldbadd       net          pdbedit        sharesec    smbstatus   testparm
ldbdel       nmblookup    pidl           smbcacls    smbtar      wbinfo
ldbedit      nmblookup4   profiles       smbclient   smbta-util
ldbmodify    ntdbbackup   regdiff        smbclient4  smbtorture
ldbrename    ntdbdump     regpatch       smbcontrol  smbtree
3. Setup Domain Provision
To start the domain provisioning, run samba-tool as shown below. It picks up the default hostname and domain name from the configuration files; press Enter to accept each default, or type a value to override it (here the DNS forwarder is changed to 8.8.8.8).
# /usr/local/samba/bin/samba-tool domain provision
Realm [EXAMPLE.COM]:
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [125.22.47.125]: 8.8.8.8
Administrator password:
Retype password:
...
...
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              tgs
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-2869186506-3515775153-2841826798
4. Start Samba Service
Start the Samba service as shown below.
/usr/local/samba/sbin/samba
Add the following entry to the rc.local file so that the Samba service starts automatically at boot.
# echo /usr/local/samba/sbin/samba >> /etc/rc.d/rc.local
# cat /etc/rc.d/rc.local
touch /var/lock/subsys/local
/usr/local/samba/sbin/samba
5. Check Samba Version
You can verify the Samba version using the samba or smbclient command as shown below.
# /usr/local/samba/sbin/samba -V
Version 4.2.0pre1-GIT-913b2a1
# /usr/local/samba/bin/smbclient -V
Version 4.2.0pre1-GIT-913b2a1
The following command lists all Samba shares that are currently available (the -U% option connects anonymously).
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-913b2a1)
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Verify that you are able to log in with the administrator username and password.
# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator -c 'ls'
Enter administrator's password:
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1]
  .                                   D        0  Fri Feb 21 15:06:15 2014
  ..                                  D        0  Fri Feb 21 15:06:28 2014

		57901 blocks of size 8388608. 54372 blocks available
6. Verify Domains
Now let us check that the domain is functioning as expected. Domain members locate the LDAP and Kerberos services through SRV records, so check the SRV records and the A record of the domain controller as shown below.
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 tgs.example.com.

# host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 0 100 88 tgs.example.com.

# host -t A tgs.example.com
tgs.example.com has address 192.168.101.1
Use the samba-tool command to verify the realm name as shown below.
# /usr/local/samba/bin/samba-tool testparm --suppress-prompt | grep realm
	realm = EXAMPLE.COM
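The SRV lookups above are the check that most often fails after provisioning (an NXDOMAIN answer usually means the host is not using the Samba internal DNS as its resolver). The script below is an added example, not part of the original tutorial: it parses the answer lines printed by host so the checks can be exercised on constructed output, and verify_dc_dns runs the live queries from this step. Beyond the two SRV names shown on the page it also checks _kerberos._tcp, which Samba publishes alongside _kerberos._udp; the domain, hostname and IP values are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example for step 6 (not from the original tutorial): verify that the
# SRV and A records a domain controller must publish point at this host.

# srv_ok LINE PORT TARGET: true when LINE is a "host -t SRV" answer whose
# port and target match (the trailing dot on the target is ignored).
srv_ok() {
    line=$1 want_port=$2 want_target=$3
    case "$line" in
        *NXDOMAIN*|*"not found"*|*SERVFAIL*) return 1 ;;
    esac
    # Answer format: NAME has SRV record PRIORITY WEIGHT PORT TARGET.
    set -- $line
    [ "$#" -ge 8 ] || return 1
    port=$7
    target=${8%.}
    [ "$port" = "$want_port" ] && [ "$target" = "$want_target" ]
}

# a_ok LINE IP: true when LINE is a "host -t A" answer for IP.
a_ok() {
    line=$1 want_ip=$2
    case "$line" in
        *NXDOMAIN*|*"not found"*) return 1 ;;
    esac
    # Answer format: NAME has address IP
    set -- $line
    [ "$#" -ge 4 ] && [ "$4" = "$want_ip" ]
}

# verify_dc_dns DOMAIN FQDN IP: run the live queries and report each result.
# Exit status is the number of failed checks.
verify_dc_dns() {
    domain=$1 fqdn=$2 ip=$3 failed=0
    for rec in "_ldap._tcp.$domain:389" "_kerberos._udp.$domain:88" "_kerberos._tcp.$domain:88"; do
        name=${rec%:*} port=${rec#*:}
        if srv_ok "$(host -t SRV "$name" 2>&1)" "$port" "$fqdn"; then
            echo "OK   $name -> $fqdn:$port"
        else
            echo "FAIL $name (expected $fqdn:$port)"
            failed=$((failed + 1))
        fi
    done
    if a_ok "$(host -t A "$fqdn" 2>&1)" "$ip"; then
        echo "OK   $fqdn -> $ip"
    else
        echo "FAIL $fqdn (expected $ip)"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Live usage with the values from this tutorial:
#   verify_dc_dns example.com tgs.example.com 192.168.101.1
```

A FAIL on every SRV name while the A record passes points at the resolver: the DC itself must query the Samba internal DNS (DNS1=127.0.0.1 in ifcfg-eth0), otherwise the upstream forwarder answers NXDOMAIN for the _ldap and _kerberos names.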
7. Configure Kerberos
Kerberos is the authentication protocol an Active Directory domain uses to issue tickets to users and machines; the domain controller acts as the KDC, so the host must know which realm it belongs to. Copy the sample krb5.conf file to the /etc directory.
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Set default_realm to your domain name in upper case. In this case we set it to EXAMPLE.COM.
# cat /etc/krb5.conf
[libdefaults]
	default_realm = EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true
Use the kinit command to make sure Kerberos is set up properly, as shown below; a ticket is issued only if the KDC could be located through DNS and the administrator password was accepted.
# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
Warning: Your password will expire in 41 days on Fri Apr  4 15:06:25 2014
Finally, you can use the Windows Remote Server Administration Tools (RSAT) to connect to the Samba server and manage it as a domain controller.
If you face any issues during the above process, make sure you bring the system up to date by updating all packages. You can also disable SELinux temporarily and review /var/log/audit/audit.log for any SELinux-related error messages. Also make sure your iptables rules are not blocking the ports that Samba requires to communicate with clients and other servers.
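Rather than flushing the firewall while troubleshooting, open only the ports a Samba AD domain controller actually serves. The generator below is an added example, not part of the original tutorial; the port list is the one documented on the Samba wiki's "Samba AD DC Port Usage" page (DNS, Kerberos, endpoint mapper, NetBIOS, LDAP/LDAPS, SMB, kpasswd, global catalog and the dynamic RPC range), NTP on 123/udp from step 1 is deliberately left out, and the optional source CIDR is an assumption you should set to your client subnet.

```shell
#!/bin/sh
# Added example (not from the original tutorial): print iptables rules that
# open only the ports a Samba AD DC listens on.
# Usage: samba_dc_rules [SOURCE_CIDR]   -> prints the commands; review, then pipe to sh.
samba_dc_rules() {
    src=${1:-0.0.0.0/0}   # restrict to the client subnet where possible

    # PROTO:PORT or PROTO:LOW:HIGH (iptables --dport accepts low:high ranges)
    for spec in \
        tcp:53  udp:53  \
        tcp:88  udp:88  \
        tcp:135         \
        udp:137 udp:138 tcp:139 \
        tcp:389 udp:389 \
        tcp:445         \
        tcp:464 udp:464 \
        tcp:636         \
        tcp:3268 tcp:3269 \
        tcp:49152:65535
    do
        proto=${spec%%:*}   # text before the first colon
        port=${spec#*:}     # everything after it, so a range keeps its low:high form
        echo "iptables -A INPUT -s $src -p $proto --dport $port -j ACCEPT"
    done
}

# Count of rules the generator emits; handy for a sanity check before applying.
samba_dc_rule_count() {
    samba_dc_rules | grep -c '^iptables -A INPUT'
}

# Example: review the rules for the tutorial's 192.168.101.0/24 network, then apply.
#   samba_dc_rules 192.168.101.0/24
#   samba_dc_rules 192.168.101.0/24 | sh && service iptables save
```

The dynamic RPC range (49152-65535/tcp) is what RSAT and the Windows management consoles use after contacting the endpoint mapper on 135/tcp; leaving it closed is the usual cause of "RPC server unavailable" errors from Windows while smbclient and kinit work fine.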
You also can use this repos.
I did it and it has the last version Samba 4.1, the best replacement for windows active directory 😉
Thanks. Good article. One question. What is the reason for step 7 and what is kerberos. A one line explanation in that section would be helpful
yum install python* ?? why?
That is 2000+ packages surely they aren’t all necessary.
Hi,
Thanks a lot….
Hi,
I think a more correct article name would be “How to Setup Samba as Active Directory Domain Controller in Linux”.
Primary Domain Controller it is Windows NT Domain. less level.
Why install from source? Is there a specific parameter or feature that is not in the RHEL/CentOS repository?
I ask because one of the reasons for using a RHEL binary compatible distro like CentOS is the tight integration of versions of various packages.
Of course there’s nothing wrong with using the latest source but it does add complexity.
Just curious…
Very nice tutorial with 100% success. thank you very.
I want to ask how do I configure a member DC server with the PDC. Both are on different subnets, connected via routers. And also I want to know how DNS will be configured for my scenario.
thanks
awaited for your reply
farhad jamali
Working ok until step
# host -t SRV _ldap._tcp.example.com
with answer
Host _ldap._tcp.example.com not found: 3(NXDOMAIN)
and samba not starting automatically after reboot
/usr/local/samba/sbin/samba -V
Version 4.3.0pre1-GIT-8c56989
/usr/local/samba/bin/smbclient -V
Version 4.3.0pre1-GIT-8c56989
| Working ok until step
| # host -t SRV _ldap._tcp.example.com
| with answer
| Host _ldap._tcp.example.com not found: 3(NXDOMAIN)
Assuming you replaced “example.com” with your domain—
In my case, this was solved by making sure that the
/etc/sysconfig/network-scripts/ifcfg-eth0 file has the following 2 lines:
DNS1=127.0.0.1
DOMAIN=example.com
| Why install from source? Is there a specific parameter or feature
| that is not in the RHEL/CentOS repository?
Apparently the Samba Active Directory domain controller uses/requires a different implementation of Kerberos (Heimdal) than the distributed RPM packages on RHEL and CentOS use (MIT). Not sure that is still the case.
hi
very good article
I have some problem.
When I execute this command: # id user@domain
I get this answer: id: user@domain: No such user
I need to log in on my Linux (DC) machine with LDAP users.
What can I do??
I am not able to create users using Remote Server Administration Tools in Windows 10. But I am able to create Organizational Units in Active Directory Users and Computers.
Hi Sir,
How can I add a CentOS 6 machine to this Samba 4 domain controller? Please help
Very nice tutorial with 100% success.
But I want to know, can I log in on the Linux (CentOS 7) domain controller as a domain user (administrator)?
If possible, how can we do this?